Document Release Date: November 2012
Software Release Date: November 2012
Legal Notices

Warranty
The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. The information contained herein is subject to change without notice.

Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use, or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Copyright Notice
Copyright 2012 Hewlett-Packard Development Company, L.P.
Documentation Updates

The title page of this document contains the following identifying information:
    Software version number
    Document release date, which changes each time the document is updated
    Software release date, which indicates the release date of this version of the software

To check for recent updates or to verify that you are using the most recent edition of a document, go to: http://h20230.www2.hp.com/selfsolve/manuals

This site requires that you register for an HP Passport and sign in. To register for an HP Passport ID, go to: http://h20229.www2.hp.com/passport-registration.html

You will also receive updated or new editions if you subscribe to the appropriate product support service. Contact your HP sales representative for details.

Part Number: 1-151-2012-11-370-01
Contents

Chapter 1: Introduction  7
    About this Guide  7
        Typographic Conventions Used in This Document  8
        Related Documents  9
            Accessing HP Fortify Software Security Center Documentation  9
    Contacting HP Fortify  9
        Technical Support  9
        Corporate Headquarters  9
        HP Corporate Website  9
    HP Fortify Assistive Technologies  10

Chapter 2: Securely Deploying Software Security Center  11
    Overview of Secure Deployment  11
    Securing Access to Facilities  11
    Securing the Application Server  11
        Setting Application Server Attributes to Protect Sensitive Data  11
    Using HTTPS and SSL Communications  11
    Securing Passwords and User Roles  12
    Managing Computer Services and Accounts  12

Chapter 3: Overview of HP Fortify Software Security Center and its Deployment  13
    The Central Role of Software Security Center  13
        Overview of the Software Security Center Installation Environment  14
    Overview of Software Security Center Deployment  16
        High-Level Deployment Tasks  16

Chapter 4: Deploying Software Security Center  18
    Overview of Software Security Center Deployment  18
    Downloading Software Security Center Files  19
    Setting Up Your Application Server for Software Security Center Deployment  20
        Configuring pragma no-cache on Application Servers  20
        Preparing Apache Tomcat for Software Security Center Deployment  21
        Preparing IBM WebSphere for Software Security Center Deployment  23
    Unpacking and Deploying Software Security Center Software  26
    Downloading the JDBC Driver  26
    Installing and Configuring Database Software  26
    Creating the Software Security Center Database  27
        Database Instance and Privileges Requirements  27
        Database-Specific Configuration Requirements  27
        Creating the Database  30
    Configuring the Database Connection  31
    Selecting the JDK  33
    Seeding the Software Security Center Database  34

Chapter 5: Configuring Software Security Center  36
    Starting the Software Security Center Configuration Tool  36
    Configuration Tool Tabs  36
    Configuring an Eclipse plug-in Update Site  38
    Configuring User Account Timeout and Lockout Settings  38
    Configuring a Proxy for Secure Coding Rulepacks Updates  40
    Configuring Email Alerts  41
    Configuring Bug Tracker Integration  42
        Additional Bug Tracker Configuration  43
        Securing Logon Credentials for Bug-Tracking Systems  43
        Viewing Previously Logged Bugs in Collaboration Module  45
        Changing the Bug-Tracking System for a Project  46
    Configuring Single Sign-On  46
    Configuring HP Fortify CloudScan Monitoring and Troubleshooting in Software Security Center  48
    Configuring LDAP User Authentication  49
    Overview of Software Security Center User Authentication  49
        Database-only Authentication  49
        Software Security Center LDAP Authentication  49
    Preparing to Configure LDAP Authentication  50
        Download the JXplorer LDAP Browser  50
        Create an LDAP Account for use by Software Security Center  50
        Avoid Conflicts Between Account Names  50
        Gather and Record Required Information  50

Chapter 6: Logging On and Administering User Accounts  55
    Deploying Software Security Center in Your Application Server  55
        Deploying Software Security Center in Tomcat Application Servers  55
        Deploying Software Security Center in WebLogic Application Servers  55
        Deploying Software Security Center in JBoss Enterprise Application Platform  55
        Deploying Software Security Center in WebSphere  56
        Starting Software Security Center  56
        Logging On to Software Security Center for the First Time  56
    Overview of Software Security Center User Administration  57
        Administrator Accounts  57
        Security Lead, Manager, and Developer Accounts  57
    Creating User Accounts  57
    Registering LDAP Entities with Software Security Center  58
    Managing LDAP User Roles  59
        How Software Security Center Determines Group Membership  59
        Mapping Software Security Center Roles to LDAP Groups  59
    Creating Custom Project Attributes  60

Chapter 7: Using the fortifyclient Utility  62
    Requirements for Using fortifyclient  62
    Understanding fortifyclient Authentication Tokens  62
    Running the fortifyclient Utility  62
        Specifying the Software Security Center URL  62
        Listing fortifyclient Options and Parameters  63
        Acquiring an Upload Authentication Token  63
        Listing fortifyclient Authentication Tokens  64
        Listing Project Versions  64
        Uploading FPRs  64
        Downloading FPRs  66
        Importing Content Bundles  67
        Listing Runtime Applications  68
        Archiving Runtime Events  69
        Listing Runtime Archives  69
        Restoring Runtime Events  70

Chapter 8: Upgrading Software Security Center  71
    Overview of Upgrading a Software Security Center Database  71
    Preparing to Upgrade Your Software Security Center Database  71
        MySQL Server: Setting the Innodb Buffer Pool  71
    Configuring Connectivity to the Upgraded Database  71
    Running Software Security Center Database Upgrade Scripts  72
        Preparing to Run the Database Upgrade Script  72
        Generating and Running the Database Migration Script  72
    Re-seeding Your Upgraded Database and Deploying the WAR File  73
        Updating the WAR File  74
    Troubleshooting Database Migration Problems  74

Appendix A: Authoring Software Security Center Bug Tracker plug-ins  75
    Use Case  75
    Project Setup  75
    Implementation  75
    Plug-in Methods and Method Calls  76
    Plug-in Helper  78
    Error Handling  78
    Almost Stateless  78
    Changeset Discovery  79
    Debugging  79
    Deployment  79
Chapter 1: Introduction
About this Guide
This guide is written for users who are responsible for deploying and maintaining HP Fortify Software Security Center. It provides all of the information you need to acquire, install, and configure HP Fortify Software Security Center. This document is intended for users who are moderately knowledgeable about enterprise application development and skilled in enterprise system and database administration. It is written for:
    System and instance administrators
    Database administrators (DBAs)

If you are not installing Software Security Center for the first time, but instead need instructions on how to upgrade from an earlier version, see Chapter 8, Upgrading Software Security Center on page 71.

The chapters in this document contain the following information:

Chapter 1 (this chapter) describes this guide, its intended audience, the contents of the guide, and the typographical conventions used. It also describes related documents that are important for Software Security Center installation, and where to get them.

Chapter 2, Securely Deploying Software Security Center on page 11, describes guidelines for secure Software Security Center deployment.

Chapter 3, Overview of HP Fortify Software Security Center and its Deployment on page 13, provides an overview of the Software Security Center system environment and its components, as well as the high-level tasks for deploying a new Software Security Center instance.

Chapter 4, Deploying Software Security Center on page 18, contains instructions on how to download Software Security Center files, prepare the application server and database, and deploy Software Security Center.

Chapter 5, Configuring Software Security Center on page 36, contains instructions on how to configure Software Security Center.

Chapter 6, Logging On and Administering User Accounts on page 55, provides instructions on how to log on to Software Security Center and set up and manage user accounts.

Chapter 7, Using the fortifyclient Utility on page 62, describes the fortifyclient command-line utility and how you can use it to securely transfer objects such as Fortify project results (FPR) files and content bundles to and from Software Security Center.

Chapter 8, Upgrading Software Security Center on page 71, describes how to upgrade an existing Software Security Center instance.

Appendix A, Authoring Software Security Center Bug Tracker plug-ins on page 75, describes how to author and deploy a bug-tracking plug-in (in addition to those supplied with Software Security Center) for use with Software Security Center.
Typographic Conventions Used in This Document

bold
    In procedure steps, bold indicates controls displayed in the user interface.

italic
    In command lines, italics indicate placeholders for information you supply. In documentation, italic letters indicate terms that the document uses in specific ways, usually the first time a term occurs in a topic. Italics can also denote emphasis.

bold italic
    In text and command lines, the use of bold and italic together indicates a named argument. Example: ReadOnly, FileName

square brackets [ ]
    In command lines, valid options are enclosed between square brackets.

braces and vertical bar { | }
    In command lines, terms enclosed in braces and separated by a vertical bar indicate a choice among two or more items. You must choose one of the items unless all of the items are enclosed in square brackets.

monospace
    In command lines, monospace font indicates code.

column of three periods
    In code examples, a column of three periods indicates that part of an example has been omitted intentionally.

backslash (\)
    In code examples, the backslash character is used to continue command examples that are too long to fit on a single line. For example:

        dd if=/dev/rdsk/c0t1d0s6 \
           of=/dev/rst0 bs=10b count=10000

    On UNIX-based systems, a long line of code is sometimes split onto two lines and indicated with a backslash. At other times, the entire code is on one line.

braces { }
    In code examples, braces indicate required items. Example:

        .DEFINE {macro1}

ellipses (...)
Related Documents

The following documents provide deployment information for system administrators and DBAs:

HP Fortify Software Security Center System Requirements contains information about the hardware and software requirements and recommendations for Software Security Center. You must review this document before you start to deploy your Software Security Center instance.

HP Fortify Software Security Center Release Notes provides product information that is not included in the regular documentation set.

What's New in HP Fortify Software Security Center contains information about features added to Software Security Center since its previous release.

HP Fortify Software Security Center Process Designer User Guide contains information about how to use Process Designer to create and edit process templates for your HP Fortify Software Security Center projects.

The HP Fortify Software Security Center User Guide provides all Software Security Center users with detailed information about how to use Software Security Center.

For information about all of the guides in the Software Security Center documentation suite, see the About HP Fortify Documentation guide.
Contacting HP Fortify
If you have questions or comments about any part of this guide, use the HP Fortify contact information provided in the following sections.
Technical Support
650.735.2215 fortifytechsupport@hp.com
Corporate Headquarters
Moffett Towers 1140 Enterprise Way Sunnyvale, CA 94089 650.358.5600 contact@fortify.com
HP Corporate Website
http://www.hpenterprisesecurity.com
For information about how to set the Secure and HttpOnly attributes, see the documentation for your application server (and version).
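The following added example (it is not code from the HP Fortify guide or from the product) audits the cookies an application server returns. It parses Set-Cookie header values and reports any cookie that lacks Secure or HttpOnly; the fetch helper runs the same check against a live server over a certificate-verified HTTPS connection. The host name, the /ssc context path and the cookie values are assumptions made for the example.

```python
"""Added example (not part of the HP Fortify guide): audit Set-Cookie headers
for the Secure and HttpOnly attributes.

Whatever application server runs the Software Security Center WAR, the
session cookie it issues should carry both attributes. The context path
(/ssc), the host name and the cookie values are constructed sample data.
"""
import http.client
import ssl
from typing import Dict, List, Tuple

# Constructed sample headers: a session cookie that carries HttpOnly but
# not Secure, the hardened form of the same cookie, and a cookie with neither.
SAMPLE_WEAK = "JSESSIONID=8A4C1E2F9B7D; Path=/ssc; HttpOnly"
SAMPLE_HARDENED = "JSESSIONID=8A4C1E2F9B7D; Path=/ssc; Secure; HttpOnly"
SAMPLE_NOT_SESSION = "lang=en; Path=/ssc; Max-Age=31536000"


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, object]]:
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased. Flag attributes (Secure, HttpOnly) map
    to True; valued attributes (Path, Max-Age, ...) map to their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else True
    return name.strip(), value.strip(), attrs


def missing_attributes(header_value: str) -> List[str]:
    """Return the names of the required attributes that are absent."""
    _, _, attrs = parse_set_cookie(header_value)
    required = (("secure", "Secure"), ("httponly", "HttpOnly"))
    return [label for key, label in required if attrs.get(key) is not True]


def audit(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, missing attributes) for every cookie that fails."""
    findings = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        missing = missing_attributes(header)
        if missing:
            findings.append((name, missing))
    return findings


def fetch_set_cookie_headers(host: str, path: str = "/ssc/",
                             port: int = 443) -> List[str]:
    """GET `path` over HTTPS with certificate verification and return the
    raw Set-Cookie header values. Assumed: the server listens on `port`."""
    context = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=context, timeout=10)
    try:
        conn.request("GET", path)
        response = conn.getresponse()
        return response.headers.get_all("Set-Cookie") or []
    finally:
        conn.close()


if __name__ == "__main__":
    # Offline run over the constructed samples; replace with
    # fetch_set_cookie_headers("ssc.example.internal") to test a deployment.
    for name, missing in audit([SAMPLE_WEAK, SAMPLE_HARDENED, SAMPLE_NOT_SESSION]):
        print(f"{name}: missing {', '.join(missing)}")
```

Run the check against the URL your users actually connect to: if TLS terminates on a reverse proxy in front of the application server, the cookie the browser receives is the one that matters. On Tomcat, HttpOnly for the session cookie is controlled by the useHttpOnly attribute of the Context element, and in a Servlet 3.0 container both attributes can also be set through the session-config/cookie-config element of the web application's deployment descriptor.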
For more information about Software Security Center account management, see the HP Fortify Software Security Center User Guide.

If you use LDAP to authenticate Software Security Center users, configure your LDAP server to use secure LDAP communications and point Software Security Center at that protected endpoint. Over a plaintext ldap:// connection, the bind password of the account Software Security Center uses and the passwords of the users it authenticates cross the network unencrypted. For more information about configuring Software Security Center to use LDAP authentication, see Configuring LDAP User Authentication on page 49.
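The following added example (not the guide's or the product's code) checks the LDAP server URL that Software Security Center will bind to. It flags plaintext ldap:// configurations and scheme/port mismatches, and the probe helper opens a certificate-verified TLS connection to an LDAPS listener to confirm that the server presents a certificate your trust store accepts. The host names and the starttls flag are assumptions made for the example.

```python
"""Added example (not part of the HP Fortify guide): verify that the LDAP
server URL configured for Software Security Center uses a protected transport.

With an LDAP simple bind, the service-account password and every user
password forwarded for authentication travel inside the bind request, so
the channel must be TLS-protected. The host names below are constructed.
"""
import socket
import ssl
from typing import Dict, List, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed sample URLs.
SAMPLE_PLAINTEXT = "ldap://ldap.example.internal"
SAMPLE_LDAPS = "ldaps://ldap.example.internal:636"
SAMPLE_MISMATCH = "ldaps://ldap.example.internal:389"


def describe_ldap_url(url: str) -> Dict[str, object]:
    """Return the scheme, host, effective port and whether TLS is implied."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing host in {url!r}")
    port = parts.port or DEFAULT_PORTS[scheme]
    return {"scheme": scheme, "host": parts.hostname, "port": port,
            "tls": scheme == "ldaps"}


def transport_findings(url: str, starttls: bool = False) -> List[str]:
    """List the transport problems a reviewer should flag for this URL.

    `starttls` is an assumed deployment setting (not something the guide
    documents) meaning a plain ldap:// session is upgraded with StartTLS.
    """
    info = describe_ldap_url(url)
    findings = []
    if not info["tls"] and not starttls:
        findings.append("plaintext LDAP: bind credentials and user passwords "
                        "are sent unencrypted")
    if info["scheme"] == "ldaps" and info["port"] == 389:
        findings.append("ldaps:// on port 389: a standard server expects "
                        "plaintext there and the TLS handshake will fail")
    if info["scheme"] == "ldap" and info["port"] == 636:
        findings.append("ldap:// on port 636: plaintext sent to the usual "
                        "TLS listener, almost certainly a misconfiguration")
    return findings


def probe_ldaps_certificate(host: str, port: int = 636,
                            cafile: Optional[str] = None) -> str:
    """Open a verified TLS connection to an LDAPS listener and return the
    certificate subject's common name. Raises ssl.SSLError if the chain or
    host name does not verify, which is exactly the signal you want before
    trusting the server. Assumed: the listener is reachable on `port`."""
    context = ssl.create_default_context(cafile=cafile)
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
            return subject.get("commonName", "")


if __name__ == "__main__":
    # Offline run over the constructed URLs; call probe_ldaps_certificate
    # against your own directory server to confirm the listener.
    for sample in (SAMPLE_PLAINTEXT, SAMPLE_LDAPS, SAMPLE_MISMATCH):
        print(sample, "->", transport_findings(sample) or ["ok"])
```

The probe deliberately uses the platform trust store (or the `cafile` you pass) with host-name checking on, so an internal CA must be installed where the check runs; a successful probe with verification disabled would prove nothing about the server's identity.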
[Figure 1: Software Security Center installation environment (diagram not reproduced; legend label: Optional components)]

Table 2: Required and optional Software Security Center installation entities

S1  Software Security Center
    HP Fortify delivers Software Security Center as a Web Archive (WAR) file run by a web application server (A1).

D1  Software Security Center database (required; third-party)
    Stores user and artifact data. Before putting Software Security Center into production, you must install a supported third-party database.

A1  Application server
    Software Security Center (S1) is delivered as a Web Archive (WAR) file, and is run by a web application server.

A2  LDAP authentication server (optional; third-party)
    You can configure Software Security Center to use LDAP authentication.

A3  Defect-tracking server (optional)
    Software Security Center can be configured to enable bugs to be submitted to a Bugzilla, JIRA, or ALM bug-tracking system directly from Collaboration Module.

A4  Email server (optional; third-party)
    Software Security Center can be configured to use an external SMTP email server to send alerts to project collaborators.

C1  HP Fortify Static Code Analyzer analysis agent (optional)
    SCA scans source code and identifies issues.

C2  HP Fortify Program Trace Analyzer (PTA) analysis agent (optional)
    PTA performs pre-deployment analysis of instrumented code running in a pre-production environment.

C3  HP Fortify Real-Time Analyzer: Microsoft .NET Edition analysis agent (optional)
    HP Fortify Real-Time Analyzer (RTA) performs analysis of instrumented code running in a production environment.

C4  HP Fortify Audit Workbench source code auditing tool
    Although it is technically optional, most Software Security Center installations use Audit Workbench (AWB) to audit issues and categorize vulnerabilities.

F1  HP Fortify download server
    Used to acquire installation programs.

F2  HP Fortify RTA Rulepacks Update server
    Hosted by HP Fortify and used to acquire and update RTA Rulepacks.
Software Security Center installation requires not only the configuration of Software Security Center to interoperate with the external components shown in Figure 1, but also configuration of the external components to interoperate with Software Security Center.
High-Level Deployment Tasks

1. Download the Software Security Center software files and your fortify.license file.
   Instructions: see Downloading Software Security Center Files on page 19 and the HP Fortify Software Security Center System Requirements document.

2. Prepare your application server for Software Security Center deployment.
   Instructions: see Setting Up Your Application Server for Software Security Center Deployment on page 20.

3. Unpack the installation bundle.
   Instructions: see Unpacking and Deploying Software Security Center Software on page 26.

4. Download the JDBC driver for the database server you plan to use. For information about supported JDBC drivers and versions, see the HP Fortify Software Security Center System Requirements document.
   Instructions: see Downloading the JDBC Driver on page 26.

5. Install and configure the database server software. For information about supported databases, see the HP Fortify Software Security Center System Requirements document.

6. Create a Software Security Center database and run the database creation and initialization script (HP-Fortify-Server-WAR/sql/<Database_Type>/create-tables.sql) that is packaged with the production WAR file.

7. Use the Software Security Center Configuration Tool to configure Software Security Center properties.
   Instructions: for information about how to configure the database for Software Security Center, see Configuring the Database Connection on page 31.

8. Configure Software Security Center to use the Java Development Kit (JDK) that is compatible with the application server you plan to use to run Software Security Center.
   Instructions: see Selecting the JDK on page 33.

9. Use the Software Security Center Configuration Tool to seed the database.
   Instructions: for information about how to seed the Software Security Center database, see Seeding the Software Security Center Database on page 34.

10. Use the Software Security Center Configuration Tool to configure single sign-on, email notifications, web services, and more. Chapter 5 also provides instructions on how to configure custom attributes that your users can assign to their projects.
   Instructions: for information about how to configure the Software Security Center properties, see the following sections in Chapter 5, Configuring Software Security Center on page 36:
       Configuring an Eclipse plug-in Update Site
       Configuring User Account Timeout and Lockout Settings
       Configuring a Proxy for Secure Coding Rulepacks Updates
       Configuring Email Alerts
       Configuring Bug Tracker Integration
       Configuring Single Sign-On
       Configuring HP Fortify CloudScan Monitoring and Troubleshooting in Software Security Center
       Configuring LDAP User Authentication
       Enabling HP Fortify Real-Time Analyzer Communications
   For information about how to configure custom attributes, see Creating Custom Project Attributes on page 60.

11. Deploy Software Security Center in your application server.
   Instructions: see Deploying Software Security Center in Your Application Server on page 55.

12. Log on to Software Security Center and administer users, manage LDAP entities and user roles, and create custom Project attributes.
   Instructions: see Chapter 6, Logging On and Administering User Accounts on page 55.
site.

To download the Software Security Center installation files:

1. Go to HP's Software Support Online website, https://www.hp.com/go/softwaresupport. For complete, detailed instructions on how to download software from the HP Software Support Online site, see the Acquiring HP Fortify Software section of the HP Fortify Software Security Center System Requirements document.

2. Do one of the following:
   If you are deploying Software Security Center on a Windows system, download the Software_HP_Fortify_3.70_Eng_SW_Media_TF302-15079.iso file.
   If you are deploying Software Security Center on a Linux, UNIX, or Mac system, download the Software_HP_Fortify_3.70_Linux_Unix_Mac_TF302-15080.iso file.

3. The ISO file is a disc image of the entire Software Security Center product line. After you download it and before you deploy the software, either mount the ISO image or burn it to a DVD. For detailed instructions, see the HP Fortify Software Security Center System Requirements document.
runtime environment.
If you are running Software Security Center on a Windows system, and starting the Tomcat server from the Windows command line, then before you start the Tomcat server, set the CATALINA_OPTS environment variable, as follows:
CATALINA_OPTS=-Xms256M -Xmx768M -XX:MaxPermSize=256M -Djava.awt.headless=true

Configuring Tomcat Memory Using the Windows Services Tool
If you are running Software Security Center on a Windows system, and you are running Tomcat as a Windows service, you can use the Apache Tomcat Properties dialog box to specify the Software Security Center memory settings. Windows applies the memory settings whenever it starts the Tomcat service (for example, after a power-failure reboot). The procedure in this section assumes that:
You are qualified to configure a Tomcat application server running on a Windows computer, and to use Windows Computer Management tools
You have configured your Tomcat server to run as a Windows service
For information about configuring Tomcat, see the Tomcat documentation. To use the Windows Services tool to configure Tomcat memory settings:
1. Log on to Windows as an Administrator-level user.
2. In Windows, open the Apache Tomcat Properties dialog box, and then do one of the following:
If you ran a Windows installation program to install Tomcat, select Start > Configure Tomcat.
If you ran a Windows installation program to install Tomcat, go to the Windows system tray and double-click the Apache Tomcat icon.
If you did not run a Windows installation program to install Tomcat, go to the Windows Computer Management tool, right-click the entry for the Tomcat service, and then select Properties.
4. Configure the Tomcat properties as follows:
a. In the Initial memory pool box, type 256.
b. In the Maximum memory pool box, type 768.
c. In the Java Options box, type the following lines (including line breaks):
-XX:MaxPermSize=256M
-Djava.awt.headless=true
d. Click OK. To apply the new memory settings, you must first restart the Tomcat service. However, before you do, make sure that you have configured Tomcat memory (see Preparing Apache Tomcat for Software Security Center Deployment on page 21).
The exact format for this specification depends on the shell you use to specify the settings.
After you complete the configuration, restart WebSphere. If you plan to deploy Software Security Center in WebSphere, complete the following tasks before you deploy Software Security Center:
1. Install a supported version of IBM Update Installer.
2. Check the HP Fortify Software Security Center Server Requirements document to make sure that you have a supported version of WebSphere application server software installed.
3. Start your WebSphere instance, and then log on to the administrative console.
4. Add a custom property on the WebSphere application server web container. (For instructions, see Adding a Custom Property on the Web Container.)
5. Set the application class-loader policy and class-loader mode. (For instructions, see Setting the Class-Loader Policy and Mode.)
The HP Fortify web certificate enables the instance of Software Security Center running under the WebSphere 7.0 server to establish an HTTPS connection with the HP Fortify Rulepack update server at update.fortify.com. The following procedures describe how to download a copy of the HP Fortify certificate in X.509 DER format from either a Firefox or Internet Explorer web browser window.
Using Firefox to Download a Fortify Web Certificate
To export a Fortify web certificate from Firefox:
1. Browse to the Fortify Customer Portal site (update.fortify.com), and then log on using your Customer Portal credentials. The Your Products page opens.
2. To open the certificate export tool:
a. Right-click the page, and then select View Page Info from the shortcut menu. Firefox displays the Page Info window.
b. In the Page Info window, click Security.
c. In the Website Identity section, click View Certificate.
d. In the Certificate Viewer dialog box, click the Details tab, and then click Export.
3. In the Save Certificate to File dialog box:
a. Browse to the directory to which you want to save the certificate file.
b. In the File Name box, type a file name, and make a note of the name.
c. In the Save as type list, leave X.509 Certificate (PEM) selected.
4. Click Save.
5. Close the Certificate Viewer dialog box.
Using Internet Explorer to Download a Fortify Web Certificate
To use Internet Explorer to export a Fortify web certificate:
1. From Internet Explorer, browse to the Fortify Customer Portal site (update.fortify.com) and then log on using your Customer Portal credentials. The Your Products page opens.
2. To open the Certificate Export Wizard:
a. Right-click the page, and then select Properties from the shortcut menu.
b. In the Properties dialog box, click Certificates.
c. In the Certificate dialog box, click the Details tab, and then click Copy to File. The Certificate Export Wizard starts.
3. To export the certificate as an X.509 DER file:
a. Click Next.
b. On the Export File Format step, leave DER Encoded Binary X.509 (.CER) selected, and then click Next.
c. On the Export to File step, browse to the directory to which you want to save the certificate file, type a file name, and then click OK.
d. Click Next.
e. On the completion step, review your settings, and then click Finish.
Adding the Fortify Web Certificate to the WebSphere Application Server 7.0
The final task required to configure Software Security Center to run under WebSphere Application Server 7.0 is to use IBM's iKeyman utility to add the Fortify web certificate to the certificate store of WebSphere Application Server 7.0. The following procedure describes how to add your downloaded Fortify web certificate to the WebSphere server certificate store. To add the Fortify web certificate to the WebSphere 7.0 server:
1. Start the IBM key management utility (iKeyman). For instructions, see IBM's online documentation for certificate management.
2. To open the WebSphere key store for updating:
a. From the Key Database File menu, select Open.
b. From the Key database type list in the Open dialog box, select PKCS12.
c. Browse to <WebSphere Install Dir>/profiles/<AppServer>/config/cells/<Cell/Node Name>/Nodes/<Node Name>/trust.p12, and then click OK. The iKeyman utility prompts for a password.
3. Type the WebSphere keystore password. (The default password is WebAS.)
4. To install the Fortify web certificate:
a. Click Add.
b. Browse to and select the Fortify web certificate you downloaded (see Downloading an HP Fortify Web Certificate on page 24), and then click OK. The iKeyman utility prompts you to label the certificate.
c. The Enter a Label box displays the default label ssc_war. Replace this value with ssc.
d. Click OK. The iKeyman utility adds the Fortify web certificate to the WebSphere certificate store.
5. In the iKeyman utility, in Key Database File, click Exit. This completes configuration of the WebSphere 7.0 server to support Software Security Center.
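The two browser procedures above produce the same certificate in two encodings (Firefox writes PEM, Internet Explorer writes DER), and the trust store import is only as safe as your check that the file you are about to trust is the one the portal actually served. The following standard-library Python is an added example, not part of this guide or of iKeyman: it converts between PEM and DER, walks enough of the DER structure to read the serial number (and to reject a PEM file handed in where DER is expected), and prints the fingerprint in the colon-separated form that browser certificate viewers show, so you can compare it against the viewer before adding the certificate to trust.p12. The SAMPLE_DER bytes are constructed here so the example runs offline; they have only the outer shape of an X.509 certificate and are not a real or signed certificate.

```python
import base64
import hashlib
import re


def _tlv(tag, body):
    """Encode one DER tag-length-value element (definite length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


# Constructed sample (NOT a real certificate): it has the outer shape of an
# X.509 Certificate, SEQUENCE { tbsCertificate, signatureAlgorithm,
# signatureValue }, so the parser below has something to walk offline.
# In practice read the bytes of the .cer or .pem file you exported.
SAMPLE_DER = _tlv(
    0x30,
    _tlv(0x30,                                           # tbsCertificate
         _tlv(0xA0, _tlv(0x02, b"\x02"))                 # [0] EXPLICIT version = v3
         + _tlv(0x02, b"\x01\x2a"))                      # serialNumber = 0x012a
    + _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
    + _tlv(0x03, b"\x00\xde\xad"),                       # signatureValue (dummy BIT STRING)
)


def _read_tlv(buf, pos=0):
    """Decode the DER element starting at buf[pos]; return (tag, body, end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("DER element runs past the end of the data")
    return tag, buf[pos + hdr:end], end


def der_children(body):
    """Split the body of a constructed DER element into (tag, body) children."""
    children, pos = [], 0
    while pos < len(body):
        tag, child, pos = _read_tlv(body, pos)
        children.append((tag, child))
    return children


def certificate_serial(der):
    """Serial number of a DER certificate as an int. Rejects data that is not
    one SEQUENCE spanning the whole input (e.g. PEM text passed as DER)."""
    tag, body, end = _read_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE; is this PEM text?")
    tbs_tag, tbs = der_children(body)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:     # optional [0] version precedes serial
        fields = fields[1:]
    serial_tag, serial = fields[0]
    if serial_tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(serial, "big", signed=True)


_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def der_to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der, algo="sha256"):
    """Colon-separated hex digest of the DER bytes, as certificate viewers show it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    print("serial:", hex(certificate_serial(SAMPLE_DER)))
    print("SHA-256:", fingerprint(SAMPLE_DER))
    print(der_to_pem(SAMPLE_DER))
```

The fingerprint is computed over the DER bytes, which is why a PEM export and a DER export of the same certificate yield the same value once the PEM is decoded; if the value you compute does not match what the browser's certificate viewer displayed, do not import the file.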
Seed bundle and description:
Process templates seed bundle: Use the seed bundle to seed your third-party database tables.
Reports seed bundle: Use the seed bundle to seed the third-party database tables.
(Optional) PCI Basic bundle: Adds a Payment Card Industry process template and an associated report to the default set of Software Security Center process templates and reports.
The process templates seed bundle and the reports seed bundles are required for Software Security Center deployment. The PCI Basic seed bundle is optional. Although you are not required to copy the resource files to the <SSC_Deploy> directory, the procedures in this document are based on the assumption that you saved the files to that location.
Note: HP Fortify strongly recommends that you create just one database user account that has all of the privileges listed here, and that you create just one Software Security Center user account to perform all HP Fortify database operations, from database creation, to configuration, to seeding, and to runtime.
In this example, progressiveStreaming=2 disables progressive streaming. HP Fortify does not support internationalization of DB2 databases. For more information about DB2 character set support, see Software Security Center Database Character Set Support on page 27.
To enable Microsoft SQL Server READ_COMMITTED_SNAPSHOT:
1. Verify that there are no other open connections to the database.
2. In the SQL Server database administration tool, run the following command:
ALTER Database [SSC_Server3.7_database_name] SET READ_COMMITTED_SNAPSHOT ON
To configure the MySQL options file:
1. Stop MySQL server.
2. Navigate to the installation directory of your MySQL server.
3. Open the MySQL options file in a text editor. On Windows systems, the default options file is my.ini. On UNIX-based systems, the default options file is my.cnf.
4. In both the [mysqld] and [mysqldump] sections, set max_allowed_packet to 1G.
5. In the [mysqld] section, configure the system variables listed in the following table:
Setting: Value
innodb_log_file_size: 512M
query_cache_type: 1 or 2
query_cache_size: Between 64MB and 128MB
innodb_buffer_pool_size: 512MB
default_storage_engine: INNODB
Oracle 11g is case insensitive by default. If you use Oracle 11g for the Software Security Center database, you must make sure that the database is case sensitive. Otherwise, logon errors can occur. For information about how to turn case sensitivity on and off, go to the following Oracle website:
http://www.oracle-base.com/articles/11g/CaseSensitivePasswords_11gR1.php

Preventing the No more data to read from socket Error from Occurring
If you use Oracle 10.2.0.1.0 as the Software Security Center database, you may experience an exception of the type No more data to read from socket. To prevent this exception from occurring, do the following:
1. Navigate to the $ORACLE_HOME/network/admin/ directory and open the tnsnames.ora file in a text editor.
2. Set the value of SERVER to DEDICATE.
3. To apply the change, go to Windows Services and restart the active listener associated with the database.
Security Center Server database, resulting in permanent data loss. Instead, upgrade your existing database. For information about how to upgrade your existing database for use with Software Security Center, see Chapter 8, Upgrading Software Security Center on page 71. To run the Software Security Center database creation and initialization scripts:
1. Navigate to the HP-Fortify-Server-WAR/sql directory and locate the subdirectory for the third-party database you plan to use with Software Security Center. The subdirectories for each type of supported database are as follows:
db2
MySQL
Oracle
SQLserver
2. Copy the scripts from the subdirectory that matches your Software Security Center database type to the database server or other location where you will run the scripts.
3. In the database client program, log onto the database account you created for use with Software Security Center.
4. To create and initialize the Software Security Center database tables, run the following:
create-tables.sql
3. If you are configuring the Software Security Center database for the first time, click Add JDBC Driver. The Locate JAR file dialog box opens.
4. Browse to the location of your JDBC driver. The Software Security Center Configuration Tool uses the JDBC driver to populate the DB Driver Class list at the top of the Database Setup tab. For more information about database driver requirements, see Obtaining the Database Driver Class on page 27.
5. In the JDBC URL box, type the URL for the Software Security Center database. (For information about the syntax to use for the URL, see the documentation for your database.)
Warning: If SQL Server is configured to use any character encoding other than Unicode, you must append
Example: jdbc:jtds:sqlserver://dbhost:1433/ssc;sendStringParametersAsUnicode=false
6. In the DB Username box, type the username for the Software Security Center database.
7. In the DB Password box, type the password for the Software Security Center database.
8. From the DB Type list, select the type of database you are using.
9. To test the settings, click Test JDBC.
10. Do one of the following:
Seed the new Software Security Center database instance. (See Seeding the Software Security Center Database on page 34.) If this is a new Software Security Center database, you must seed the database before you start Software Security Center.
Click Save & Exit.
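As an added example that is not part of this guide, the following Python parses a jTDS SQL Server JDBC URL of the shape shown in the example and reports the problems that would otherwise only surface after Test JDBC or at runtime: a missing port, a missing database name, and a non-Unicode SQL Server database whose URL lacks sendStringParametersAsUnicode=false. The function names and the finding codes are this example's own, not the Configuration Tool's.

```python
from urllib.parse import urlsplit


def parse_jdbc_url(url):
    """Split jdbc:<subprotocol>:<driver part> into its pieces. For jTDS the
    driver part is <server-type>://<host>[:<port>]/<database>[;prop=value...]."""
    parts = url.split(":", 2)
    if len(parts) != 3 or parts[0] != "jdbc":
        raise ValueError("not a JDBC URL: expected jdbc:<subprotocol>:<rest>")
    _, subprotocol, rest = parts
    driver_part, *prop_items = rest.split(";")
    location = urlsplit(driver_part)          # server-type becomes the scheme
    properties = {}
    for item in prop_items:
        if item:                              # tolerate a trailing ';'
            key, _, value = item.partition("=")
            properties[key] = value
    return {
        "subprotocol": subprotocol,
        "server_type": location.scheme,
        "host": location.hostname,
        "port": location.port,                # None when no port is given
        "database": location.path.lstrip("/"),
        "properties": properties,
    }


def check_sqlserver_url(url, database_is_unicode):
    """Return a list of finding codes for a jTDS SQL Server URL; [] means OK.
    database_is_unicode says whether the SQL Server database uses a Unicode
    encoding; when it does not, the URL must carry
    sendStringParametersAsUnicode=false, as in the guide's example."""
    info = parse_jdbc_url(url)
    findings = []
    if info["subprotocol"] != "jtds" or info["server_type"] != "sqlserver":
        findings.append("NOT_JTDS_SQLSERVER")
    if info["port"] is None:
        findings.append("MISSING_PORT")
    if not info["database"]:
        findings.append("MISSING_DATABASE")
    flag = info["properties"].get("sendStringParametersAsUnicode")
    if not database_is_unicode and flag != "false":
        findings.append("MISSING_UNICODE_FLAG")
    return findings


if __name__ == "__main__":
    # Constructed URLs, modelled on the guide's example host name and port.
    for candidate in ("jdbc:jtds:sqlserver://dbhost:1433/ssc;sendStringParametersAsUnicode=false",
                      "jdbc:jtds:sqlserver://dbhost/ssc"):
        print(candidate, "->", check_sqlserver_url(candidate, database_is_unicode=False))
```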
2. From the Application Server JDK Version list, select the JDK to use to run your application server. For a list of supported JDKs for the supported application servers, see the HP Fortify Software Security Center System Requirements document.
3. Click Save & Exit.
These are the seed bundles you downloaded. (See Downloading Software Security Center Files on page 19.) You can also install the optional PCI Basic Bundle (HP_Fortify_PCI_Basic_Seed_Bundle_2012_Q2.zip), which adds a Payment Card Industry process template and an associated report to the default set of Software Security Center process templates and reports. After you complete the installation and seeding, you can use the Software Security Center user interface to modify any user-configurable data entities created in the seeding process.
To seed a new Software Security Center database:
1. Start the Software Security Center Configuration Tool. (For instructions, see Starting the Software Security Center Configuration Tool on page 36.)
2. Click the Database Setup tab.
3. Check to make sure that the database user credentials specified in the DB Username and DB Password boxes correspond to a database user account with sufficient privileges to create, alter, and drop tables, views, indexes, and stored procedures. If you are using an Oracle database, make sure that the user account also has permission to enable sequences.
4. To seed the Software Security Center database with the default process templates:
a. Click Seed Process Templates. The Locate Process Template configuration file dialog box opens.
b. Browse to the process templates seed bundle file (HP_Fortify_Process_Seed_Bundle_2012_Q2.zip), and then click Open.
5. To seed the Software Security Center database with the default set of reports:
a. Click Seed Reports. The Locate Report configuration file dialog box opens.
b. Select the report seed bundle file (HP_Fortify_Report_Seed_Bundle_2012_Q2.zip), and then click Open.
6. (Optional) To seed the Software Security Center database with the optional PCI Basic Bundle:
a. Click Seed Reports. The Locate Report configuration file dialog box opens.
b. Select the report seed bundle file (HP_Fortify_PCI_Basic_Seed_Bundle_2012_Q2.zip), and then click Open.
7. Click Validate DB.
8. After successful validation, click Save & Exit.
To add a post-installation seed bundle to a configured Software Security Center database:
1. Open a command prompt and change to the <SSC_Deploy> directory.
2. Do one of the following:
On a Windows system, run:
ssc-configuration.cmd -seedOnly -war ssc.war -bundle <Seed_Bundle_Name>.zip
where <Seed_Bundle_Name> represents the full path to a Software Security Center seed bundle.
The system prompts you to specify the location of the WAR file for Software Security Center.
2. Browse to and select the ssc.war file, and then click Open. The system loads the WAR file, and then prompts you to specify the location of the license file for Software Security Center.
3. Browse to and select the fortify.license file, and then click Open. The configuration tool opens to the Core tab.
The next sections provide information about the settings on each of the configuration tool tabs.
Core: Use to select or configure the following: the application server JDK version used to run Software Security Center; Software Security Center password timeout and Rulepack proxy settings. For information on selecting the JDK used to run Software Security Center, see Selecting the JDK on page 33. For a list of supported JDKs for the supported application servers, see the HP Fortify Software Security Center System Requirements document. To learn how to configure Software Security Center user account timeout and lockout settings, see Configuring User Account Timeout and Lockout Settings on page 38. For information about how to configure a proxy server for Software Security Center rulepack updates, see Configuring a Proxy for Secure Coding Rulepacks Updates on page 40.
Database Setup: Use to specify the location and credentials of the Software Security Center third-party database. To learn how to configure Software Security Center database settings, see Creating the Software Security Center Database on page 27.
Use to configure Software Security Center to interoperate with a Central Authentication Server.
Use to configure the email server settings used to send email alerts to users. To learn how to configure Software Security Center email settings, see Configuring Email Alerts on page 41.
Use to configure Software Security Center operation parameters. Use the default values unless HP Fortify support directs you to change them.
Use to configure Software Security Center's Quartz job scheduler. Use the default values unless HP Fortify support directs you to change them.
Use to configure Software Security Center to interoperate with an LDAP authentication server. For information about how to configure Software Security Center LDAP settings, see Configuring LDAP User Authentication on page 49.
RTA: Use to enable or disable RTA communications with Software Security Center. For information about how to configure Software Security Center RTA communications, see Enabling HP Fortify Real-Time Analyzer Communications on page 54.
SSO: Use to configure Software Security Center to interoperate with a single sign-on server. For information about how to configure Software Security Center SSO, see Configuring Single Sign-On on page 46.
Web Services: Use to configure Software Security Center web services. Use the default values unless HP Fortify support directs you to change them.
Table 5: Software Security Center user account timeout and lockout settings
Inactive Session Timeout (minutes). Default: 30 minutes. Number of minutes a user can be inactive before Software Security Center automatically logs the user off.
Absolute Session Timeout (minutes). Default: 240 minutes. Number of minutes a user can be continuously active before Software Security Center automatically logs the user off.
Logon Attempts before Lockout. Default: 3 attempts. Number of times a user can try to log on to Software Security Center using invalid credentials before being locked out. If Software Security Center locks a user out, that user is prevented from attempting a new logon for the number of minutes specified for Lockout time.
Default: 30 days. Number of days a Software Security Center password remains valid before the user must change it.
Lockout time. Default: 30 minutes. If a user attempts and fails to log on to Software Security Center the number of times specified for Logon Attempts before Lockout, Software Security Center locks the user out for the number of minutes specified for Lockout time.
When Software Security Center imports runtime events into project versions, it converts the events into issues. At times, multiple events are imported as one single issue. Use this box to specify the maximum number of events that Software Security Center can convert into a single issue.
Base URL for Runtime Event description server. The runtime event details include a link to a description of the event category, which is hosted on a Software Security Center instance. If you do not want your Software Security Center instance to access the internet, change the base URL for these event category descriptions.
To specify Software Security Center user account timeout and lockout settings:
1. Start the Software Security Center Configuration Tool. (See Starting the Software Security Center Configuration Tool on page 36.)
2. On the Core tab, configure the Software Security Center user account lockout and timeout settings described in Table 5.
3. Click Save & Exit.
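The four timeout and lockout parameters interact (a lockout blocks even a correct password until it expires; an inactive timeout and an absolute timeout are checked independently, and the absolute one cannot be extended by activity). The following Python is an added illustration of those rules with the defaults from Table 5, not code from Software Security Center: the clock is a caller-supplied value in minutes so the behaviour can be exercised without waiting, passwords are stored as PBKDF2 hashes, and unknown user names are treated exactly like known ones so that neither response time nor lockout behaviour reveals which accounts exist. Class, method and user names are this example's own; the salt is a constructed constant.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class AccountPolicy:
    """Defaults are the values listed in Table 5."""
    inactive_timeout_min: int = 30
    absolute_timeout_min: int = 240
    attempts_before_lockout: int = 3
    lockout_min: int = 30


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[float] = None   # clock values are minutes
    session_start: Optional[float] = None
    last_activity: Optional[float] = None


class Authenticator:
    def __init__(self, policy: AccountPolicy, users: Dict[str, bytes], salt: bytes):
        self.policy = policy
        self._users = users                  # username -> password hash
        self._salt = salt
        self._state: Dict[str, AccountState] = {}

    @staticmethod
    def hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _state_for(self, user: str) -> AccountState:
        return self._state.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state_for(user)
        return st.locked_until is not None and now < st.locked_until

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'invalid' or 'locked'. A correct password during a
        lockout is still refused until the lockout period has elapsed."""
        st = self._state_for(user)
        if self.is_locked(user, now):
            return "locked"
        stored = self._users.get(user)
        candidate = self.hash_password(password, self._salt)
        # Hash and compare even for unknown names (constant-time compare against
        # a dummy) so timing and lockout do not reveal which accounts exist.
        matched = hmac.compare_digest(stored or b"\0" * len(candidate), candidate)
        if stored is not None and matched:
            st.failed_attempts, st.locked_until = 0, None
            st.session_start = st.last_activity = now
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= self.policy.attempts_before_lockout:
            st.failed_attempts = 0
            st.locked_until = now + self.policy.lockout_min
            return "locked"
        return "invalid"

    def session_valid(self, user: str, now: float) -> bool:
        st = self._state_for(user)
        if st.session_start is None:
            return False
        return (now - st.last_activity <= self.policy.inactive_timeout_min
                and now - st.session_start <= self.policy.absolute_timeout_min)

    def touch(self, user: str, now: float) -> bool:
        """Record activity; an expired session is logged off, never extended."""
        st = self._state_for(user)
        if not self.session_valid(user, now):
            st.session_start = st.last_activity = None
            return False
        st.last_activity = now
        return True


def walkthrough():
    """Exercise the default policy on a constructed account; returns the outcomes."""
    salt = b"constructed-demo-salt"          # constructed; use a random per-user salt in practice
    users = {"alice": Authenticator.hash_password("correct horse battery", salt)}
    auth = Authenticator(AccountPolicy(), users, salt)
    out = {}
    out["attempts"] = [auth.login("alice", "wrong", t) for t in (0, 1, 2)]  # third fails -> locked
    out["correct_while_locked"] = auth.login("alice", "correct horse battery", 10)
    out["after_lockout"] = auth.login("alice", "correct horse battery", 33)   # lock ended at 32
    out["touch_25min"] = auth.touch("alice", 58)            # within the 30 min inactive limit
    out["idle_31min"] = auth.session_valid("alice", 89)     # 31 min since last activity
    auth.login("alice", "correct horse battery", 100)
    for t in range(120, 341, 20):                           # stay active for 240 min
        auth.touch("alice", t)
    out["absolute_240min"] = auth.session_valid("alice", 340)
    out["absolute_255min"] = auth.session_valid("alice", 355)  # active, but past 240 min
    return out


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```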
tool) unless your HP Fortify customer support representative directs you to do so. To configure a proxy for Rulepack updates, you need the following:
A current subscription to one or more Secure Coding Rulepacks
The URL, port number, and username for the proxy server to use to update Secure Coding Rulepacks
To configure a proxy for Secure Coding Rulepacks updates:
1. Start the Software Security Center Configuration Tool. (For instructions, see Starting the Software Security Center Configuration Tool on page 36.)
2. On the Core tab, configure the settings listed in the following table.
Field and description:
Proxy for Rulepack Update: Network name or IP address
Proxy Port: Port number associated with the network name or IP address specified as proxy
Proxy Username: Valid username for your Rulepack proxy server
Proxy Password: Valid password for your Rulepack proxy server
Note: Leave the Locale for Rulepacks box empty. Software Security Center does not support localized
To integrate with one of the supplied bug tracking systems:
1. Log on to Software Security Center as an administrator and click the Projects tab.
2. From the Projects page, select a project version, and then click Edit. The Edit Project Version dialog box opens.
3. Click the Bug Tracker tab.
4. From the Bug Tracker list, select the bug tracker with which to integrate for this project version.
5. Complete the required fields, and then click Test. The Test Bug Tracker Configuration dialog box opens.
6. Type your bug tracker authentication credentials, and then click Test.
7. After you verify your connection to your bug tracker, click Save.
You can copy these files to the WEB-INF/classes path, and then check to make sure that the defaults are loaded correctly during plug-in selection.
JIRA Parameters
The JIRA bug tracker requires a standard summary and bug description. It also accepts values for priority level, a due date for the fix, and the assignee. Software Security Center fetches values for the Issue Type and Affects Version fields dynamically from the bug-tracking system based on the selected project. If your JIRA project requires additional fields, then you may have to modify the plug-in before you use it. For guidance, see the plug-in authoring instructions in Appendix A: Authoring Software Security Center Bug Tracker plug-ins on page 75, or contact HP Fortify technical support.
Chapter 6, Logging On and Administering User Accounts on page 55.
HP ALM Parameters
In the HP ALM Defect Tracker - Submit Bug dialog box, select the following parameters, which reflect your individual ALM installation:
Bug Summary
Bug Description
ALM Domain
ALM Project
Severity
If your ALM project integrates with ALI (details below), you can observe that the defect description includes candidate changesets that could have possibly introduced the issue. There are several key points of HP Fortify Software Security Center ALM integration to remember. In order for changeset discovery to be functional, the following conditions must be met:
Each SCA scan must be tagged with a build-label, which HP Fortify Software Security Center uses to map the scan with a source-control revision number. This is achieved by including the -build-label <Revision_Number> command option while executing the source analyzer tool to translate source code into the HP Fortify analysis model.
The ALI extension must be enabled for the individual project in ALM and appropriate source control repositories must be configured. If the ALI extension was successfully enabled for the individual project you can view the Code Changes tab after you log on to ALM. ALM bugs are logged regardless of whether the changeset discovery requirements are met. If the prerequisites are not met, then the changeset discovery message is skipped. Currently, Subversion is the only source control repository supported for changeset discovery.
Note: To view an ALM bug, you must have the ALM browser plug-in installed and use an ALM-compatible browser. For more information about ALI and ALM, see your Hewlett-Packard documentation for those products.
Bugzilla Parameters
Bugzilla parameters are as follows.
browser.
<appcontext>/upload/*   Public   /ssc/upload/*
Description Required for rulepack updates from the client tools. Public access to the Software Security Center Process Guide must be provided to everyone within the enterprise.
Because of implementation details involved in the interaction with the Adobe Flash player and the web services libraries, the <appcontext>/transfer/*, <appcontext>/upload/*, and <appcontext>/download/* filters must be handled separately.
2 If you want to be able to run RulePack updates from within Audit Workbench, or the CLI FortifyUpdate, you must use the /<app_context>/d3srv resource filter. Note that the forward slash and asterisk (/*) are missing from the end of the filter. For this filter, you must replace <appcontext> with the application context for Software Security Center. Example: /ssc
Description:
URL of the CloudScan Controller.
Select this check box to enable the polling of the CloudScan Controller to retrieve job status.
Interval that Software Security Center uses to poll the CloudScan Controller for job information. The default is 120 seconds.
Password that Software Security Center uses when it requests data from the CloudScan Controller. The CloudScan Controller verifies the password when requested for administration console data. This string must match the value stored in the CloudScan Controller config.properties for the ssc_cloudctrl_secret key (see Step 2).
6. Click Save & Exit. Software Security Center will now display the CloudScan tab after a user logs on. For more information, see the Software Security Center Users Guide.
Note: For information about managing LDAP entities and user roles in Software Security Center, see Registering LDAP Entities with Software Security Center on page 58 and Managing LDAP User Roles on page 59.
Database-only Authentication
By default, when a user logs on to the Software Security Center user interface or uses an HP Fortify client to upload Fortify project results files, Software Security Center uses its database to authenticate that user. After authenticating a user, Software Security Center binds the authenticated user to his or her assigned Software Security Center User role (Administrator, Security Lead, Developer, or Auditor). The default database-only authentication method can be augmented by using LDAP to authenticate users. However, database-only authentication imposes a separate administrative process for creating and managing Software Security Center user accounts and roles. That separate administrative process is why most administrators prefer to augment Software Security Center's default database-only authentication with LDAP. LDAP authentication enables a single administrative process to create and manage user authentication for multiple network entities, including Software Security Center.
3. Complete the fields described in the following table.
LDAP Configuration Parameter and description:
Enable LDAP Integration: Select this check box to enable the remaining fields required for LDAP integration.
Cache LDAP User Data: Select this check box to enable LDAP user data caching in Software Security Center. Changes to user information made directly in the LDAP server may not be reflected in Software Security Center for up to an hour. However, a slow connection between Software Security Center and the LDAP server, or a large LDAP directory with slow searches, could degrade Software Security Center performance. Typically, user data are seldom changed directly in the LDAP server.
Note: HP Fortify recommends that you leave LDAP user caching enabled.
Select this check box to enable nested group support for LDAP in Software Security Center.
Note: Use nested LDAP groups only if it is absolutely necessary. Enabling nested LDAP groups forces Software Security Center to perform extra tree traversals during authentication.
Server URL: URL of the LDAP authentication server. If you use unsecured LDAP, use the following format:
ldap://<hostname>:<port>
LDAPS ensures that user credentials are encrypted before they are transmitted.
Bind User DN: Full distinguished name (DN) of the account Software Security Center uses to connect to the authentication server. The general format for an account specifier is as follows:
cn=<accountName>,ou=users,dc=<domainName>,dc=com
where accountName represents the minimum-privilege, read-only authentication server account you created for exclusive use by Software Security Center.
Warning: Never use a user's account name in a production environment.
If you use Active Directory, specify the full username with domain, in the following format:
<Domain_Name>\<Username>
Password for the Bind User DN account.
Base DN: Base Distinguished Name (DN) for LDAP directory structure searches. For example, the Base DN for companyName.com would be dc=companyName,dc=com. All DN values are case sensitive, must not contain extra spaces, and must exactly match LDAP server entries.
(Optional) Relative Distinguished Name (RDN): An RDN defines the starting point from the Base DN for LDAP directory searches. HP Fortify recommends searching from the base DN. However, if your LDAP directory is so large that searching for Software Security Center users takes too long, use an RDN to limit the number of LDAP entries searched. Example: To search within the base DN companyName.com and all entries under that base DN, specify the following:
cn=users
or
cn=users,ou=divisionName
to recursively search all entries under that path.
Object class attribute: Class of the object. For example, objectClass.
Distinguished name (DN) attribute: Full distinguished name of the object. Example: dn
User class: Object class that identifies an LDAP object type as a user. The default is organizationalPerson.
User username attribute: User object attribute that specifies a username. The default is sAMAccountName.
User first name attribute: User object attribute that specifies a user's first name. The default is givenName.
User last name attribute: User object attribute that specifies a user's last name. The default is sn.
User email attribute: User object attribute that specifies a user's email address. The default is mail.
Group class: Object class that identifies an LDAP object type as a group.
Group name attribute: Group attribute that specifies the group name. The default is member.
Group member attribute: Group attribute that defines the members of the group. The default is group.
Organizational unit class: Object class that identifies an LDAP object as an organizational unit. The default is container.
Organizational unit name attribute: Group attribute that specifies the organizational unit name. The default is cn.
4. To test your LDAP connection, click Test LDAP.
5. After you successfully test the connection, click Save & Exit.
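Test LDAP tells you whether the bind works, not whether the settings are sound. The Python below is an added example, not part of this guide or of the Configuration Tool, that checks the settings from the table before you save them: it warns when the Server URL is plain ldap:// (the bind password and every user's credentials then cross the network unencrypted), requires the explicit port the URL format calls for, parses the Bind User DN and Base DN as attribute=value components and rejects the stray whitespace the table says must not appear (accepting the Active Directory <Domain_Name>\<Username> form as-is), reports when an RDN narrows the search below the Base DN, and flags the nested-group and caching choices the two Notes caution about. The LdapConfig field names, the finding codes, and the example.test host names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlsplit


@dataclass
class LdapConfig:
    server_url: str
    bind_user_dn: str
    bind_password: str
    base_dn: str
    rdn: str = ""                  # optional Relative Distinguished Name
    cache_user_data: bool = True
    nested_groups: bool = False


Finding = Tuple[str, str]          # (code, explanation)

_AD_FORM = re.compile(r"^[^\\\s]+\\[^\\\s]+$")          # <Domain_Name>\<Username>
_COMPONENT = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # attribute=value


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN on unescaped commas into (attribute, value) pairs.
    Raises ValueError for a malformed component or for whitespace around one."""
    pairs = []
    for part in re.split(r"(?<!\\),", dn):
        if part != part.strip():
            raise ValueError(f"extra whitespace around {part!r}")
        if not _COMPONENT.match(part):
            raise ValueError(f"malformed DN component {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr, value))
    return pairs


def search_base(cfg: LdapConfig) -> str:
    """The DN at which searches actually start: RDN prepended to the Base DN."""
    return f"{cfg.rdn},{cfg.base_dn}" if cfg.rdn else cfg.base_dn


def validate(cfg: LdapConfig) -> List[Finding]:
    findings: List[Finding] = []
    url = urlsplit(cfg.server_url)
    if url.scheme == "ldap":
        findings.append(("UNENCRYPTED_URL", "ldap:// sends the bind password and user credentials in clear; use ldaps://"))
    elif url.scheme != "ldaps":
        findings.append(("BAD_SCHEME", f"unexpected scheme {url.scheme!r}"))
    if url.port is None:
        findings.append(("MISSING_PORT", "Server URL must be of the form ldap(s)://<hostname>:<port>"))
    if not _AD_FORM.match(cfg.bind_user_dn):      # DOMAIN\user is accepted as-is
        try:
            parse_dn(cfg.bind_user_dn)
        except ValueError as err:
            findings.append(("BAD_BIND_DN", str(err)))
    if not cfg.bind_password:
        findings.append(("EMPTY_BIND_PASSWORD", "the bind account must authenticate"))
    try:
        parse_dn(cfg.base_dn)
    except ValueError as err:
        findings.append(("BAD_BASE_DN", str(err)))
    if cfg.rdn:
        try:
            parse_dn(cfg.rdn)
        except ValueError as err:
            findings.append(("BAD_RDN", str(err)))
        findings.append(("RDN_IN_USE", f"searches start at {search_base(cfg)}, not at the Base DN; entries outside it are invisible"))
    if cfg.nested_groups:
        findings.append(("NESTED_GROUPS", "extra tree traversals on every authentication"))
    if not cfg.cache_user_data:
        findings.append(("CACHE_DISABLED", "every logon queries the directory; slow links or large trees degrade performance"))
    return findings


if __name__ == "__main__":
    # Constructed configuration with several of the problems above.
    cfg = LdapConfig("ldap://ldap.example.test", "cn=ssc-bind, ou=users,dc=example,dc=test",
                     "", "dc=example,dc=test", rdn="cn=users,ou=divisionName",
                     cache_user_data=False, nested_groups=True)
    for code, why in validate(cfg):
        print(f"{code}: {why}")
```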
HP Fortify Software Security Center Installation and Configuration Guide 53
To enable Software Security Center to communicate with RTA:
1. Start the Software Security Center Configuration Tool. (For instructions, see Starting the Software Security Center Configuration Tool on page 36.)
2. Click the RTA tab.
3. Select the Enable RTA check box.
Warning: Do not change any other runtime settings unless HP Fortify Support specifically directs you
where [Port] represents the port number used by your application server. The default port is 8080.
Note: Although you can use insecure communication (http://[Host_IP]:[Port]/ssc), HP Fortify strongly recommends that you use the secure https protocol.
The Software Security Center logon screen opens.
After you log on to Software Security Center, create at least one non-default administrator account and then delete the default admin account. For more information about managing Software Security Center user accounts and roles, see Overview of Software Security Center User Administration.
Administrator Accounts
Administrator accounts have complete access to all Software Security Center user and project version data. More important, an administrator-level account is the only kind that can:
Create new user accounts
Edit or delete other users' accounts
HP Fortify recommends that, after you log on to Software Security Center for the first time, you create at least one non-default administrator account, and then delete the default admin account. After you create a non-default administrator account, use that account to create Software Security Center Security Lead, Manager, and Developer user accounts.
data for the project versions to which they are assigned. All Software Security Center user account types can edit their own account information.
For information about how to configure Software Security Center user account timeout and lockout settings, see Configuring User Account Timeout and Lockout Settings on page 38. For more information about user account privileges, see the HP Fortify Software Security Center Users Guide.
4. Do the following:
a. From the LDAP Entity list, select the type of LDAP entity to register.
b. In the Name box, type the entity name. Click the search icon to validate the name entry in the LDAP server. For information about how to specify the LDAP server, see Configuring LDAP Server Options on page 51.
c. Under Role(s), select the check box for at least one of the Software Security Center roles for the selected LDAP entity.
d. Click Save. Software Security Center adds the entity to its list of users.
4. Complete the fields described in the following table (* indicates a required field).
*Name: Type a descriptive name that provides some idea of what the attribute is for.
Description: Type a brief description that contains enough detail so that users understand exactly what the attribute is for. Your description is displayed under the attribute field in the Create Project Version wizard.
Select this check box to require users to set this attribute while creating a project template.
Select this check box to prevent the new attribute from being displayed in the Create Project Version wizard.
From this list, select either Technical or Business to indicate the type of attribute you are creating. If your Software Security Center instance is integrated with WebInspect, the list also includes the Dynamic Scan Request category. Depending on the category you select, the attribute is displayed on either the Business Attributes step or the Technical Attributes step of the Create Project Version wizard.
From this list, select the value that indicates whether the attribute applies only to project versions, runtime applications, or to both.
From this list, select one of the following control types:
To create a check box for the attribute, select Boolean.
To create a calendar selection control for the attribute, select Date.
Note: This type is not available for Dynamic Scan Request attributes.
To create a list from which a user can select only a single value for the attribute, select List of Values - Single Selection.
To create a list from which a user can select multiple values for the attribute, select List of Values - Multiple Selection.
To create a field that accepts an integer value, select Number.
To create a text field into which a user can type a single line of text, select Text - Single Line.
To create a text field into which a user can type multiple lines of text, select Text - Multiple Lines.
5. Click Save. The new attribute is available the next time a user creates a project version using the Create Project Version wizard.
In the examples provided in this chapter, [ssc_URL] represents a correctly formatted URL.
To perform the procedure described in this section, you must have the following:
Your Software Security Center URL (See Specifying the Software Security Center URL on page 62.)
A Software Security Center user account with privileges that allow you to use the fortifyclient access token
To use fortifyclient to acquire an analysis upload token:
1. In <ssc_install_dir>/Deployment/fortifyclient/bin, type the following:
fortifyclient -url [ssc_URL] token -gettoken AnalysisUploadToken -user [AccountName]
3. Copy the token returned by fortifyclient into a text file.
The ability of fortifyclient to use the token to read or write information to or from Software Security Center corresponds to the account privileges of the Software Security Center user account specified by the -user parameter.
The case-sensitive daysToLive parameter must be typed exactly as shown in this example.
where AdminAccountName is the name of a Software Security Center Administrator-level user account. 2. When prompted, type the password for the administrator-level user account. A list of the ID, owner, creation date, expiration date, and creation IP address for all fortifyclient authentication tokens is returned.
where [authtoken] is a valid fortifyclient authentication token. (You can also use the -user and -password parameters to specify user account credentials.) For all project versions accessible to the user account that created the token, the fortifyclient utility lists each project version's ID, name, and version number.
Uploading FPRs
A common task is to periodically upload FPRs to Software Security Center. Fortifyclient upload access tokens support the use of the AccessUploadToken token to conceal user credentials when using scripts to periodically upload FPRs to Software Security Center. To provide additional security, you can also use an access token's DaysToLive parameter. You can upload FPR files using one of the two methods described in this section:
Using a Software Security Center Project Identifier to Upload FPR Files
Using a Software Security Center Project and Project Version to Upload FPR Files
Note: To perform the procedures described in this section, you must first obtain an authentication token. (See
where
[ssc_URL] represents the URL for your Software Security Center instance
[token] represents a valid fortifyclient authentication token
[FPRname.fpr] represents the full pathname to the FPR file
[ID_Number] represents the Software Security Center project identifier
For information about how to acquire Software Security Center project identifiers, see Listing Project Versions on page 64.
Using a Software Security Center Project and Project Version to Upload FPR Files
To upload an FPR into a Software Security Center project version using the project name and version:
1. Navigate to the <ssc_install_dir>/Deployment/fortifyclient/bin directory.
2. Run the following:
fortifyclient -url [ssc_URL] -authtoken [token] uploadFPR -file [FPRname.fpr] -project [ProjectName] -version [ProjectVersion]
where
[ssc_URL] represents the URL for your Software Security Center instance
[token] represents a valid fortifyclient authentication token
[FPRname.fpr] represents the full path to the FPR file
[ProjectName] represents the Software Security Center project name
[ProjectVersion] represents the Software Security Center project version that corresponds to the specified project name
Downloading FPRs
You can use fortifyclient to download FPRs by specifying either the Software Security Center identifier or the project version. This section provides the procedures to download FPRs using both methods.
where
[UserName] represents the user name for a Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
[password] represents the password for the Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
[FPRname.fpr] represents the full pathname to the FPR file
[ID_Number] represents the Software Security Center project identifier
Software Security Center does not support the use of authentication tokens to download FPRs. For more information about how to acquire Software Security Center project identifiers, see Listing Project Versions on page 64.
where
[Username] represents the user name for a Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
[Password] represents the password for the Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file
The remaining parameters represent the full pathname to the FPR file, the Software Security Center project name, and the Software Security Center project version that corresponds to the named project.
where
[Username] represents the user name for a Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file.
[Password] represents the password for the Manager-level (or higher) Software Security Center account with access to the project version that contains the FPR file.
[Bundle_Name] represents the full pathname to the content bundle (.zip filename extension)
Software Security Center does not support the use of access tokens to upload content bundles.
where
[AccountName] represents the user name for a Manager, Security Lead, or Administrator account with access to the Software Security Center runtime application
[Password] represents the password that corresponds to the [AccountName] specified for the Manager, Security Lead, or Administrator account that has access to the runtime application
The fortifyclient command-line utility returns a list of numeric runtime application IDs and names.
where
[Account_Name] represents the user name for a Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application
[Password] represents the password that corresponds to the [Account_Name] specified for the Manager, Security Lead, or Administrator account with access to the runtime application
[mmddyy] represents the date of the first and last runtime events to include in the archive
[AppID1,AppID2,...] represents the numeric identifiers of the runtime applications to archive
where
[Account_Name] represents the name of the Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application
[Password] represents the password that corresponds to the [Account_Name] specified
The fortifyclient command-line utility returns a list of numeric archive IDs, runtime application names, start dates, end dates, and restored status values (true or false).
where
[Account_Name] represents the name associated with the Manager, Security Lead, or Administrator account that has access to the Software Security Center runtime application
[Password] represents the password that corresponds to the [Account_Name] specified
[ArchiveID1,ArchiveID2,...] represents the numeric identifiers of one or more runtime archives to restore
To perform the upgrade, you must have Software Security Center version 2.65 or later installed. If you have an earlier version installed, see the 2.65 version of the HP Fortify Software Security Center Installation and Configuration Guide for instructions on how to upgrade to release 2.65, and then use the instructions in this guide to upgrade to the latest Software Security Center version. If you are upgrading from a Software Security Center version earlier than 2.5, contact Technical Support.
For more information about how to configure MySQL for use with Software Security Center, see Configuring MySQL Databases on page 29.
The Software Security Center database upgrade scripts require the same database privileges that the database creation scripts require.
6. Copy the database migration script from the sub-directory that matches your Software Security Center database type to the database server or other location from which you plan to run the scripts.
7. In the database client program, log on to the database account created for Software Security Center. You must use the same database account you initially created. For more information about creating a database account for use by Software Security Center, see Database Instance and Privileges Requirements on page 27.
8. Run the SQL migration script that you generated in Step 5. Keep a record of the output. If an error occurs, contact HP Fortify Support.
4. To seed the Software Security Center database with the default set of reports:
a. Click Seed Reports. The Locate Report configuration file dialog box opens.
b. Select the report seed bundle file (HP_Fortify_Report_Seed_Bundle_2012_Q2.zip), and then click Open.
5. (Optional) To seed the Software Security Center database with the optional PCI Basic Bundle:
a. Click Seed Reports. The Locate Report configuration file dialog box opens.
b. Select the report seed bundle file (HP_Fortify_PCI_Basic_Seed_Bundle_2012_Q2.zip), and then click Open.
Note: For information about how to upload seed bundles from the command line, see Uploading Seed Bundles from the Command Line on page 35.
6. If you have not done so already, check to make sure that the other tabs within the Configuration Tool (Core, LDAP, E-mail Setup, and so on) are configured correctly.
7. Click Save & Exit. Next, update the war file. For instructions, see Updating the WAR File.
If a database validation error message occurs, navigate to the <install_dir>/logs directory, open the ssc-configuration.log file in a text editor, and look for the cause of the error. If you can use the information in ssc-configuration.log to correct the error, re-seed the database with the version 3.70 seed bundles. If you cannot use the information in ssc-configuration.log to correct the error, contact HP Fortify Support for assistance.
Use Case
You (the Software Security Center administrator) can configure an external bug-tracking system to use with a given Software Security Center project version, as described in Chapter 5, Configuring Bug Tracker Integration on page 42. Software Security Center displays the required configuration parameter fields for the bug tracker you select, and you set the values for these just one time for the project version. After you test the bug-tracker configuration parameter values for validity (optional), you save them to the database for use whenever a user logs a defect for the project version. A user who submits a bug against a project version logs on to the bug tracker, and then completes the required fields that the bug tracker supplies for the bug parameters. Required parameter information can include such items as summary, description, severity level, component, and so on. The plug-in framework supports a dynamic aspect to bug-tracking parameters. Whenever a user changes a parameter value, the plug-in detects the change and an updated list of bug parameters with new list selections becomes available. When a bug is filed, the bug ID is saved in the database against the issue. The user can then navigate to the bug using an external bug link, which the plug-in supplies. The credentials accepted from the user filing the bug are saved in the server session, and are reused for bugs subsequently submitted against the project during the same session.
Project Setup
The bug tracker plug-in can be an independent project that you can write using your preferred IDE. Configure a bug tracker plug-in project with the following dependencies:
fortify-public-3.4.jar (required)
Apache Commons Logging (optional)
Apache Commons Lang (optional)
Any other API jar that does not conflict with libraries already packaged with ssc.war
You can use your preferred build system to build your project distributable.
Implementation
All plug-ins must implement the com.fortify.pub.bugtracker.plugin.BugTrackerPlugin interface. HP Fortify strongly recommends that your implementation class extend com.fortify.pub.bugtracker.plugin.AbstractBugTrackerPlugin so that you can take advantage of any backward-compatibility support that becomes available in future releases. Additionally, you must annotate the implementation class with @BugTrackerPluginImplementation. During runtime, Software Security Center scans its binaries to identify all classes marked with this annotation and loads them as plug-ins. The BugTrackerPlugin interface is as follows:
public interface BugTrackerPlugin {
    public boolean requiresAuthentication();
    public List<BugTrackerConfig> getConfiguration();
    public void setConfiguration(Map<String, String> configuration);
    public void testConfiguration(UserAuthenticationStore credentials);
    public String getShortDisplayName();
    public String getLongDisplayName();
    public List<BugParam> getBugParameters(IssueDetail issueDetail, UserAuthenticationStore credentials);
    public List<BugParam> onParameterChange(IssueDetail issueDetail, String changedParamIdentifier, List<BugParam> currentValues, UserAuthenticationStore credentials);
    public Bug fileBug(BugSubmission bug, UserAuthenticationStore credentials);
    public void validateCredentials(UserAuthenticationStore credentials);
    public Bug fetchBugDetails(String bugId, UserAuthenticationStore credentials);
    public String getBugDeepLink(String bugId);
}
getConfiguration
setConfiguration (call)
testConfiguration (call)
getShortDisplayName: The getShortDisplayName method is used to return a short display name for the plug-in. This string is used to populate the list of available bug tracker plug-ins.
getLongDisplayName: The getLongDisplayName method is used to return a value that includes additional identification of the bug-tracking system obtained from the configuration. This method is used, for example, when the user is prompted to provide credentials for a bug-tracking system.
getBugParameters: The getBugParameters method returns metadata about the bug parameters to present to users. Software Security Center supports the following three bug parameter types:
BugParamText translates to a text box.
BugParamTextArea translates to a multiple-line text box and is typically used for bug descriptions.
BugParamChoice translates to a list.
Bug summary and bug description are typically bug parameters, and you can specify the default values for these fields using the issueDetail object that is passed to the method. The protected pluginHelper member has a helper method to build a suggested default bug description. (See Plug-in Helper on page 78.)
onParameterChange: The plug-in framework calls the onParameterChange method whenever the value for a bug parameter marked as hasDependentParams (see the BugParamChoice class javadoc) changes. This method can take action and return a new list of bug parameters to display. Keep the following guidelines in mind:
Act on each bug parameter that has dependent parameters.
Do not forget to handle the case where the parameter value changes to null (no selection made).
Do not forget to set the parameter value in the return list to null when its selections change.
Before you add a new parameter, check the return list to make sure that it does not already include the parameter.
Return null if there is no change.
Use one of the following strategies:
Modify the currentValues parameter and return it.
Construct the return value from the raw parameters you maintain. Set values and choice lists before returning.
fileBug: This method files a bug on the external bug-tracking system. The BugSubmission object passed encompasses all bug details. Make sure that you correctly differentiate between the bug.getIssueDetail() object and the bug.getParams() object. The bug.getIssueDetail() object returns details of the issue, whereas the bug.getParams() object returns the bug parameter values that the user provides. If you added Bug Description as a user-editable bug parameter, then fetch the bug description from the bug.getParams() object instead of from the bug.getIssueDetail() object. The return value of the fileBug method must be a bugId, which can be used to fetch the bug with the fetchBug method and formulate the deep link with the getBugDeepLink method.
fetchBug: This method is used to fetch the current bug status.
getBugDeepLink: This method is used to formulate a deep link to the bug. If the bug tracker does not support a deep link, return null.
For a detailed explanation of each parameter and other supporting classes, see the public API javadoc.
Plug-in Helper
If your bug tracker plug-in class extends the provided AbstractBugTrackerPlugin class, a protected member of type BugTrackerPluginHelper is available. This helper object can be used to perform frequently used plug-in operations such as building bug descriptions, locating parameters, and loading default values. Consult the javadoc for more details, and look at its usage in the plug-in samples.
Error Handling
For proper error handling and reporting, use the following strategy across all plug-in methods to throw exceptions:
Throw com.fortify.pub.bugtracker.support.BugTrackerException for any error that the user can act on. Examples: invalid configuration, errors arising from the bug-tracking system, the bug-tracking system failing, and so on. The error message with this exception is relayed back to the user and is expected to be user friendly.
Throw com.fortify.pub.bugtracker.support.BugTrackerAuthenticationException if and only if the credentials provided to the bug-tracking system are incorrect. This exception results in cached bug tracker credentials being cleared.
Throw RuntimeException or its subclasses for internal exceptions.
Almost Stateless
As soon as a plug-in object is instantiated, the setConfiguration call is made. The only state that should be saved within the plug-in is the set of configuration values provided by this method. From this point on, all plug-in calls are expected to be stateless. Plug-in instances should not maintain any state, leave open connections, or try to use connections opened during a previous call. Software Security Center does not cache or reuse plug-in instances across plug-in operations. New connections should be opened on each call, and cleanup should be done before method exit.
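The following skeleton is added here as an illustration of how the points above fit together in one class; it is not taken from HP Fortify's plug-in samples. It extends AbstractBugTrackerPlugin, keeps only the configuration as state, builds a project list whose dependent component list is refreshed in onParameterChange, files the bug from bug.getParams(), opens and closes a tracker connection inside every call, and maps tracker failures onto BugTrackerException and BugTrackerAuthenticationException. It assumes a hypothetical ExampleTrackerClient class that you would write for your own tracker (its open method is assumed to throw IOException when the tracker is unreachable and SecurityException when it rejects the login; it implements AutoCloseable with a close method that throws no checked exception), a hypothetical package name, and accessor names on the public API support classes (setIdentifier, setDisplayLabel, setRequired, setChoiceList, setHasDependentParams, setValue, getValue, getIdentifier, getSummary, getUserName, getPassword, the Bug(bugId, status) constructor, and the pluginHelper member's buildDefaultBugDescription method) that you should confirm against the public API javadoc. It uses try-with-resources, which requires Java 7 or later.

```java
package com.example.ssc;   // hypothetical package; added example, not HP Fortify sample code

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import com.fortify.pub.bugtracker.plugin.AbstractBugTrackerPlugin;
import com.fortify.pub.bugtracker.plugin.BugTrackerPluginImplementation;
import com.fortify.pub.bugtracker.support.*;   // Bug, BugParam*, BugSubmission, BugTracker*Exception, ...

@BugTrackerPluginImplementation
public class ExampleTrackerPlugin extends AbstractBugTrackerPlugin {
    private static final String CFG_URL = "trackerUrl";
    private static final String P_PROJECT = "project", P_COMPONENT = "component",
            P_SUMMARY = "summary", P_DESCRIPTION = "description";
    // The only state kept across calls: the configuration handed to setConfiguration.
    private String trackerUrl;
    public boolean requiresAuthentication() { return true; }

    public List<BugTrackerConfig> getConfiguration() {
        BugTrackerConfig url = new BugTrackerConfig();   // setter names assumed; check the API javadoc
        url.setIdentifier(CFG_URL); url.setDisplayLabel("Tracker URL"); url.setRequired(true);
        return Arrays.asList(url);
    }
    public void setConfiguration(Map<String, String> configuration) {
        trackerUrl = configuration.get(CFG_URL);
        if (trackerUrl == null || trackerUrl.trim().isEmpty()) {
            throw new BugTrackerException("Tracker URL is required");   // user-actionable error
        }
    }

    public void testConfiguration(UserAuthenticationStore creds) { validateCredentials(creds); }
    public String getShortDisplayName() { return "Example Tracker"; }
    public String getLongDisplayName() { return "Example Tracker at " + trackerUrl; }

    public List<BugParam> getBugParameters(IssueDetail issue, UserAuthenticationStore creds) {
        try (ExampleTrackerClient c = connect(creds)) {   // fresh connection, closed before return
            BugParamChoice project = new BugParamChoice();
            project.setIdentifier(P_PROJECT); project.setDisplayLabel("Project");
            project.setChoiceList(c.listProjects());
            project.setHasDependentParams(true);          // the component list depends on the project
            BugParamChoice component = new BugParamChoice();
            component.setIdentifier(P_COMPONENT); component.setDisplayLabel("Component");
            BugParamText summary = new BugParamText();
            summary.setIdentifier(P_SUMMARY); summary.setDisplayLabel("Summary");
            summary.setValue(issue.getSummary());         // default taken from the SSC issue
            BugParamTextArea description = new BugParamTextArea();
            description.setIdentifier(P_DESCRIPTION); description.setDisplayLabel("Description");
            description.setValue(pluginHelper.buildDefaultBugDescription(issue, true));  // helper call assumed
            return new ArrayList<BugParam>(Arrays.<BugParam>asList(project, component, summary, description));
        }
    }

    public List<BugParam> onParameterChange(IssueDetail issue, String changedParamIdentifier,
                                            List<BugParam> currentValues, UserAuthenticationStore creds) {
        if (!P_PROJECT.equals(changedParamIdentifier)) return null;   // no dependents: report no change
        String project = find(currentValues, P_PROJECT).getValue();
        BugParamChoice component = (BugParamChoice) find(currentValues, P_COMPONENT);
        component.setValue(null);                         // its choices change, so its old value is stale
        if (project == null || project.isEmpty()) {       // selection cleared (null): empty the dependent list
            component.setChoiceList(new ArrayList<String>());
            return currentValues;
        }
        try (ExampleTrackerClient c = connect(creds)) {
            component.setChoiceList(c.listComponents(project));
        }
        return currentValues;                             // strategy 1: modify currentValues and return it
    }

    public Bug fileBug(BugSubmission bug, UserAuthenticationStore creds) {
        Map<String, String> p = bug.getParams();          // the user-edited values, not bug.getIssueDetail()
        try (ExampleTrackerClient c = connect(creds)) {
            String bugId = c.createBug(p.get(P_PROJECT), p.get(P_COMPONENT),
                                       p.get(P_SUMMARY), p.get(P_DESCRIPTION));
            return new Bug(bugId, c.getStatus(bugId));    // bugId later feeds fetchBugDetails and getBugDeepLink
        }
    }

    public void validateCredentials(UserAuthenticationStore creds) { connect(creds).close(); }
    public Bug fetchBugDetails(String bugId, UserAuthenticationStore creds) {
        try (ExampleTrackerClient c = connect(creds)) { return new Bug(bugId, c.getStatus(bugId)); }
    }
    public String getBugDeepLink(String bugId) { return trackerUrl + "/browse/" + bugId; }

    // One connection per call; maps tracker failures onto the exception types the framework expects.
    private ExampleTrackerClient connect(UserAuthenticationStore creds) {
        try {
            return ExampleTrackerClient.open(trackerUrl, creds.getUserName(), creds.getPassword());
        } catch (SecurityException e) {                   // login rejected: SSC clears its cached credentials
            throw new BugTrackerAuthenticationException("Bug tracker rejected the supplied credentials");
        } catch (IOException e) {                         // tracker down or URL wrong: message is shown to the user
            throw new BugTrackerException("Cannot reach " + trackerUrl + ": " + e.getMessage(), e);
        }
    }

    private static BugParam find(List<BugParam> params, String identifier) {
        for (BugParam p : params) if (identifier.equals(p.getIdentifier())) return p;
        throw new IllegalStateException("parameter missing: " + identifier);   // internal: plain RuntimeException
    }
}
```

Because no connection outlives a method call and the only field is the configured URL, the class behaves correctly even though Software Security Center does not reuse plug-in instances between operations. A wrong password surfaces only as BugTrackerAuthenticationException (so the cached credentials are cleared), a down tracker as BugTrackerException with a message the user can act on, and a framework-side inconsistency such as a missing parameter as a plain RuntimeException.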
Changeset Discovery
If your bug-tracking system integrates with a version control system (as is the case with HP ALM), Software Security Center can provide additional information regarding the changesets that might have caused the issue for which the bug was logged. Such plug-ins must also implement the following ChangesetDiscoveryPlugin interface. Extending AbstractBugTrackerAndChangesetDiscoveryPlugin is highly recommended.
public interface ChangesetDiscoveryPlugin {
    public List<String> queryChangesetsBetween(String greaterThanRevision, String lesserThanOrEqualToRevision, String touchingFilePath, Map<String,String> bugParams, UserAuthenticationStore credentials);
}
If SCA scans are tagged with build revisions, this method can be used to query for changesets that were merged between when an issue was not seen and when it was first seen. The resulting discovery is made available to the fileBug method in the BugSubmission object.
Debugging
Apache Commons logging is supported in plug-ins. The resulting logs are appended into the file ssc.log located in the application server logs directory. All exceptions are automatically logged. You can also perform remote debugging of your plug-in by connecting to your application server from the plug-in project within your IDE.
Deployment
To deploy a bug tracker plug-in, you must build a jar that contains the plug-in classes and any of its dependent classes. You must also prepare the library jar files that your plug-in uses and check to make sure that these libraries do not conflict with the jar files in the ssc.war file.
1. Start the Software Security Center configuration tool. (See Starting the Software Security Center Configuration Tool on page 36.)
2. Click the Bug Tracker Plugins tab.
3. Click Add/Replace Plugin Jar.
4. Add all the jar files and save.
5. Deploy the resulting war file.